
Fix catastrophic backtracking (ReDoS) in inline link parsing #27

Open

thistehneisen wants to merge 1 commit into mattermost:master from thistehneisen:fix/inline-link-redos


Conversation

@thistehneisen

Backtracking (ReDoS) in inline link parsing

Summary

The inline._inside grammar used by the inline link and reflink rules
backtracks catastrophically on balanced nested brackets. A single chat-message
sized input of the form [[[[ … x … ]]]] blocks the parser for seconds and
scales super-linearly:

Input size            Parse time (before)   Parse time (after)
4,004 chars (~4 KB)   ~2,600 ms             ~18 ms
6,004 chars (~6 KB)   ~8,600 ms             ~24 ms
8,004 chars (~8 KB)   ~20,000 ms            ~50 ms

marked() is invoked synchronously on the render thread by consumers (e.g. the
Mattermost web and desktop clients call it from formatText with no timeout or
worker). A single stored message of ~4 KB — well within the default 4,000
character post limit — therefore freezes the UI of every user who renders
that channel, thread, search result, or notification preview. Posting several
such messages produces a persistent, unprivileged, no-interaction
denial-of-service for all channel members. This is an availability issue and is
independent of sanitize / renderer configuration, since the cost is incurred
in the tokenizer before any escaping or sanitization runs.

Root cause

inline._inside = /(?:\[[^\]]*\]|[^\[\]]|\](?=[^\[]*\]))*/;

The bracket-pair branch \[[^\]]*\] uses [^\]]*, which also matches [.
That makes this branch overlap the outer (?:…)* repetition: for balanced
nested brackets there are exponentially many ways the engine can partition the
input across the alternation, and when the overall match ultimately fails (a
link requires ]( … ) / ][ref] to follow) the engine explores all of them.

Note inline.nolink (defined a few lines above) already uses the
non-overlapping form (?:\[[^\]]*\]|[^\[\]])* and is not affected.

Fix

Restrict the bracket-pair branch to [^\[\]]* so a single pair cannot itself
contain a [. This removes the ambiguity that drives the backtracking while
still allowing one level of [..] nesting in link text, and the ]-lookahead
branch is kept (re-ordered ahead of the catch-all) so the existing
"stray ] inside link text" behaviour is preserved.

-inline._inside = /(?:\[[^\]]*\]|[^\[\]]|\](?=[^\[]*\]))*/;
+inline._inside = /(?:\[[^\[\]]*\]|\](?=[^\[]*\])|[^\[\]])*/;
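Review bot: the branch re-ordering in the `+` line is a no-op and the explanatory comment in lib/marked.js should not credit it with preserving the stray-`]` behaviour. The three branches of the new `_inside` begin with disjoint characters (`[`, `]`, anything else), so at any position at most one branch can match and their order cannot change the result; the stray-`]` case is preserved simply because the `\](?=[^\[]*\])` branch is kept. The same branch is also the remaining cost centre: its lookahead rescans forward to the next `]` for every `]` it consumes, so a long run of `]` characters is still quadratic in the run length (bounded, unlike the old form, but not linear). Suggest adding that shape as a timing case in test/redos.js alongside the existing payloads so the bound is enforced, and rewording the comment to say the fix works by making the bracket-pair branch fail fast on a nested `[` rather than by branch order.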

One-character-class change in effect; no API or output change for valid input.

Validation

  • Existing suite: all previously-passing tests still pass
    (node test — 78/78, 1 skipped), including nested_square_link
    ([the `]` character](/url)) and the existing nested-link / reference
    fixtures, confirming link parsing semantics are unchanged.
  • New correctness fixture: test/tests/mm_redos_nested_brackets.{text,html}
    asserts a one-level nested link still renders and that a bracket bomb renders
    as literal text. It also serves as a hang canary — a future regression would
    make node test time out.
  • New timing regression: test/redos.js asserts the previously-pathological
    payloads (balanced brackets, reflink form, a][ alternation, repeated nested
    pairs) each render in well under 250 ms.

Files changed

  • lib/marked.js — the _inside regex (one line) + explanatory comment.
  • test/redos.js — timing regression test (node test/redos.js).
  • test/tests/mm_redos_nested_brackets.text / .html — correctness fixture.

Nils Putnins / OffSeq Cybersecurity
npu@offseq.com / https://offseq.com / https://radar.offseq.com

The inline._inside grammar used by the link and reflink rules backtracks
catastrophically on balanced nested brackets. A ~4 KB message of the form
[[[[ ... x ... ]]]] blocked the parser for ~2.6s, scaling super-linearly
(~20s at 8 KB). Consumers call marked() synchronously on the render
thread, so a single such message froze every viewer's UI - an
unprivileged, no-interaction, persistent denial of service.

The bracket-pair branch \[[^\]]*\] used [^\]]* which also matches '[',
making it overlap the outer repetition. Restricting it to [^\[\]]*
removes the ambiguity while still allowing one level of [..] nesting and
preserving the stray-']' behaviour; the sibling nolink rule already uses
the equivalent non-overlapping form.

Adds a timing regression test and a correctness fixture.
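The root cause and fix described above, as an added example that is not code from marked or from this PR: the two `inline._inside` grammars quoted in the description are dropped into a deliberately minimal `[text](href)` matcher and tokenizer loop (an assumption; marked's real link rule also handles titles, `<href>` forms and reflinks, and its lexer does more than retry one rule per character), then run over the one-level nested link the fixture keeps, a constructed two-level nesting, and a constructed bracket bomb. It goes one step beyond the description by showing the one valid-input shape on which the two grammars diverge.

```javascript
// Added example, not marked's or the PR's own code. Both grammars below are
// copied from the PR description; everything around them is a simplified stand-in.
const INSIDE_OLD = String.raw`(?:\[[^\]]*\]|[^\[\]]|\](?=[^\[]*\]))*`;   // before the fix
const INSIDE_NEW = String.raw`(?:\[[^\[\]]*\]|\](?=[^\[]*\])|[^\[\]])*`; // after the fix

// Sticky ('y') so the rule is tried exactly at `lastIndex`, which plays the
// role of marked's `^`-anchored rule applied to the remaining source.
// Assumption: marked's real link rule is richer (titles, <href>, reflinks).
function linkRule(inside) {
  return new RegExp(String.raw`\[(${inside})\]\(([^\s)]*)\)`, 'y');
}
const LINK_OLD = linkRule(INSIDE_OLD);
const LINK_NEW = linkRule(INSIDE_NEW);

// Tokenizer loop in the spirit of an inline lexer: try the link rule at every
// position; when it fails, emit one character of literal text and move on.
function tokenize(src, rule) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    rule.lastIndex = i;
    const m = rule.exec(src);
    if (m) {
      tokens.push({ type: 'link', text: m[1], href: m[2] });
      i += m[0].length;
    } else {
      tokens.push({ type: 'text', raw: src[i] });
      i += 1;
    }
  }
  return tokens;
}

function links(src, rule) {
  return tokenize(src, rule).filter((t) => t.type === 'link');
}

// Constructed inputs: the one-level nesting the PR keeps working, a two-level
// nesting on which the grammars diverge, and the balanced bracket bomb.
const ONE_LEVEL = '[the [x] character](/url)';
const TWO_LEVEL = '[[a[b]]](/url)';
function bracketBomb(depth) {
  return '['.repeat(depth) + 'x' + ']'.repeat(depth);
}

// Wall-clock cost of tokenizing a bracket bomb of the given depth.
function bombMs(rule, depth) {
  const t0 = performance.now();
  tokenize(bracketBomb(depth), rule);
  return performance.now() - t0;
}

for (const [name, rule] of [['old', LINK_OLD], ['new', LINK_NEW]]) {
  console.log(name, 'one-level:', JSON.stringify(links(ONE_LEVEL, rule)));
  console.log(name, 'two-level:', JSON.stringify(tokenize(TWO_LEVEL, rule)));
  // The old grammar's cost grows super-linearly with depth; keep it small here.
  for (const depth of [100, 200, 400]) {
    console.log(name, `bomb depth ${depth}:`, bombMs(rule, depth).toFixed(1), 'ms');
  }
}
console.log('new bomb depth 2000:', bombMs(LINK_NEW, 2000).toFixed(1), 'ms');
```

Run with node. Both grammars produce the same single link for the one-level case, and neither links the bracket bomb (it has no `(` to follow the closing bracket), so the difference there is purely cost. The two-level case is where behaviour changes: the old grammar links the whole of `[[a[b]]]` as link text, while the fixed grammar fails fast at the nested `[`, emits a literal `[`, and then links from the second bracket with text `a[b]]`. That is the concrete meaning of "one level of [..] nesting" in the description, and it is worth a fixture if consumers depend on either form.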
@coderabbitai

coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@thistehneisen has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 31 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c5289040-4d92-49ec-8f7c-f3d69aa9da84

📥 Commits

Reviewing files that changed from the base of the PR and between e4a8785 and 21ccdc6.

📒 Files selected for processing (4)
  • lib/marked.js
  • test/redos.js
  • test/tests/mm_redos_nested_brackets.html
  • test/tests/mm_redos_nested_brackets.text
